Secondaries and slaves are intended to use the logOp() hook to keep their role graphs up-to-date with replicated changes to the admin.system.roles collection. Unfortunately, secondaries and slaves are bypassing this hook during apply-ops in favor of directly calling one of the hook methods invoked by logOp().
Proposed fix is to ensure that secondaries and slaves call logOp() just like primaries do, though they may decide to run different hook functions than the primary.